You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@zookeeper.apache.org by "Patrick D. Hunt (Jira)" <ji...@apache.org> on 2020/04/13 21:59:00 UTC
[jira] [Assigned] (ZOOKEEPER-3794) upgrade netty to address
CVE-2020-11612
[ https://issues.apache.org/jira/browse/ZOOKEEPER-3794?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Patrick D. Hunt reassigned ZOOKEEPER-3794:
------------------------------------------
Assignee: Patrick D. Hunt
> upgrade netty to address CVE-2020-11612
> ---------------------------------------
>
> Key: ZOOKEEPER-3794
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3794
> Project: ZooKeeper
> Issue Type: Task
> Components: security
> Reporter: Patrick D. Hunt
> Assignee: Patrick D. Hunt
> Priority: Blocker
>
> The owasp checker is failing with the following. I looked and seems like a DOS attack vector "The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder."
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check (default-cli) on project zookeeper:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] netty-handler-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-common-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-buffer-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-transport-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-resolver-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-codec-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-transport-native-epoll-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-transport-native-unix-common-4.1.45.Final.jar: CVE-2020-11612
> [ERROR]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)